Pike Finance Loses $1.6M to ‘USDC Vulnerability’ Exploit

Hackers exploit “USDC vulnerability” to steal from Pike Finance for the second time in three days.

Hacker in the thunder clouds wirh lots of power.
Created by Kornelija Poderskytė from DailyCoin
  • Pike Finance has suffered a second attack in three days.
  • The first attack happened on April 26.
  • Both attacks are related to the same vulnerability.

Pike Finance has suffered a second exploit in under a week, losing over a million in assorted cryptos across the Ethereum, Arbitrum, and Optimism chains.

The Circle-backed decentralized finance (DeFi) protocol suffered the first attack on April 26, two days after it enabled USDC withdrawals via the CCTP protocol. Acknowledging that it lost 299,127 USDC in the aftermath, Pike Finance said the attack was due to a “USDC withdrawal vulnerability.”

Hackers Exploit ‘USDC Vulnerability’ for the Second Time

On May 1, Pike Finance alerted the X (Twitter) crypto community to the second attack, noting that “this exploit is related to the initial USDC vulnerability reported last week on the 26th of April.”


Per the alert, Pike Finance upgraded the spoke contracts and included an additional dependency within the smart contract code to pause the protocol following the first exploit. The dependency introduced new variables, resulting in the position occupied by the *initialized* variable being taken by other variables.

The protocol said this led to a “misalignment in storage mapping.”

“This misalignment caused the contract to behave as if it was uninitialized, since the *initialized* variable could no longer be accessed. As a result, attackers were then able to upgrade the spoke contracts, bypassing admin access, and as a result, withdraw funds,” the protocol wrote.

The exploit resulted in the theft of over $1.6 million cryptos, including 99,970.48 ARB, 64,126 OP, and 479.39 ETH. Pike Finance offered a 20% reward for the return of the funds as it pursues an investigation.


Read how the Lazarus group evaded authorities after sealing $200M in crypto:
Lazarus Evading Authorities: Blockchain and Laundering $200M

Stay updated on a recent phishing attack on Velvet Capital:
Velvet Capital Goes Offline to Allay Frontend Phishing Attack

This article is for information purposes only and should not be considered trading or investment advice. Nothing herein shall be construed as financial, legal, or tax advice. Trading forex, cryptocurrencies, and CFDs pose a considerable risk of loss.

Brian Danga

Brian Danga, a Kenyan crypto reporter, is dedicated to delivering breaking news and updates from the cryptocurrency world. With a background as a Web3 writer and project manager, he recognizes the importance of unbiased reporting. Holding an LLB degree from the University of Nairobi, Brian's analytical skills contribute to his accurate news reporting. His personal interests include cooking, watching documentaries, reading, and engaging in intellectual discussions.